9331 | 2024-06-07 09:37
File: Tlcf4ubbOhvrFYkon.exe
MD5: 9c4b350eb7315c2f6f4b2eb64bccd918
Tags: Formbook Malicious Library AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process Windows DNS Cryptographic key crashed
URLs (6):
  http://www.caxars.store/muti/
  http://www.eshopkhaliji.store/muti/?8p=PenW7MtlXSrvxOPA1PJj8U2jUUvXlhwVh1FpwKQCNXiCStQ1MIBfQTqa3m2cpudHTvQpU++Q&4h=vTxdQD-PSRspeX7&sql=1
  http://www.eshopkhaliji.store/muti/
  http://www.shopadamsstore.com/muti/?8p=rUMPbDi9V+hLkBWFtVE1y7T4O5kE79Gi8Nwpb3xjlkSgEF4tpwDWlQ4hDt2c39K6jtdDQHz5&4h=vTxdQD-PSRspeX7&sql=1
  http://www.caxars.store/muti/?8p=vAkEv8VlD6HvoJ7OTZ3UyhPmsIwewVN5MI8wV+ea/g1itgmvOaYSZ0nMfK3GudfMXpkuz2fr&4h=vTxdQD-PSRspeX7&sql=1
  http://www.shopadamsstore.com/muti/
Hosts (8):
  www.caxars.store(91.184.0.200)
  www.eshopkhaliji.store(158.176.194.183)
  www.shopadamsstore.com(23.227.38.74)
  www.kampspacex.com()
  45.33.6.223
  23.227.38.74 - mailcious
  141.125.157.19
  91.184.0.200 - mailcious
Alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE FormBook CnC Checkin (POST) M2
Score: 10.8 | M | 43 | ZeroCERT

9332 | 2024-06-07 09:36
File: lionsarekingofthejunglewhotrul...
MD5: c5af2617421f885a9772a4b51b80cb2a
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  http://103.182.19.148/6060/pointingthejunglelionontheimagescool.bmp
  https://paste.ee/d/SrD1H
Hosts (3):
  paste.ee(172.67.187.200) - mailcious
  103.182.19.148 - malware
  104.21.84.67 - malware
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | 38 | ZeroCERT

9333 | 2024-06-07 09:34
File: Update.exe
MD5: 4c6f04a706e2ca2a0b722336675318da
Tags: Malicious Library Downloader UPX PE File PE32 MZP Format OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic unpack itself AppData folder Windows RCE DNS
URLs (2):
  http://getcloudsolutions.dev/PmCw4fD/index.php?scr=1
  http://getcloudsolutions.dev/PmCw4fD/index.php
Hosts (3):
  getcloudsolutions.dev(84.38.181.245)
  45.33.6.223
  84.38.181.245
Alerts (1):
  ET MALWARE Amadey Bot Activity (POST) M1
Score: 6.2 | 49 | ZeroCERT

9334 | 2024-06-07 09:34
File: john.scr
MD5: 280899776fbfcf98c505bf8efe0bbb5e
Tags: Generic Malware Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (18):
  http://www.stellardaysigning.com/xb5p/
  http://www.fullmoonbird.com/c8sr/?NP0FyU=zxCFcO6tuZe6Dlje2mnTfb6r7hCrJw1WRvLQy3p8EhQbFOxorE0QYFIsUppT5UxA2U7/AhBO7aGzpI5DsnNWO/n9u3OyDwlwLJozLrszN4iVUZEIkN4QT6y8EX8/9tm01YM9dRM=&kESy=xgbqg
  http://www.kvatromusic.online/yjik/?NP0FyU=gdGtnhc9ASA4qX4b34OgRoYxE/bD+nb59vJiz4FtHHCSzpBYLiuXgNVcIgjaJpSMIjXnBANqWDNRr5Ocy1GAv43NZgQpgrLVhi6C63ziyaNAbXqEiKgPKznZLTw5BnTXjQFFRAg=&kESy=xgbqg
  http://www.6666111p.vip/y3do/?NP0FyU=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&kESy=xgbqg
  http://www.6666111p.vip/y3do/
  http://www.hsck520.com/0tno/?NP0FyU=0cMGHWchhwDqjfnLTJDBZveg9su8HvUeph8XCipGvt+qmCtRZPbLeKFNzMXXlvLfrfTQKCJHTw1MhSXlslZDoNUiVnTSVKsqzzLfuZrJDhCegOsSgpp1goso0jrOzq9yXpycRq0=&kESy=xgbqg
  http://www.silverbrit.info/kj8f/?NP0FyU=4t9Vdj82cePVf5tb2btNPfj+cF91LcmybOtR99dnAhd1RJtV43KyF44o/jxPyXILLT2c7dvr4ObZNHuTbQFO2r18ofp9GNB90rnp1Ohw/CJp1ZbSd7nYHKYFKR9pZcLJ+FI+J6g=&kESy=xgbqg
  http://www.stellardaysigning.com/xb5p/?NP0FyU=j+BD0p8WhtBdy7Wd/KfVtBKjF7uQGjkUu2IQ9c2WN0jGyCZp1k8Rj1+VKsyVC4FAIa7rNa0t7jcnj4LfrYK/jtIwEqPY6NFmTaOReXQoO8B2hiELl0EMSu8ktx1OCucJ4jnvo9M=&kESy=xgbqg
  http://www.silverbrit.info/kj8f/
  http://www.double2nllc.com/lphk/?NP0FyU=QQ9AzHzvXAdOb0MPNLfjUpWPUVpZplRrayXzypMYhteyq/MKivL68z82kZS9u6bhgeBbY+QYkFf+kg9uvjJAnI3fPdAT94WYiFSy6W9ZWxao1mFD7NGeSFfqjgfGWtv75CStAYk=&kESy=xgbqg
  http://www.hsck520.com/0tno/
  http://www.yetung.com/7ru5/
  http://www.kvatromusic.online/yjik/
  http://www.yetung.com/7ru5/?NP0FyU=ISPW+m88VBQNqH+k3JW84YG5Fk7QLrErwcAnWTSXodWIF9bOo25oIut7GSly+JY6T9/fHFYUtdHtiF5inQf0UQqeKTQ7bI9uaPa6a3iFF9Uz86xGPiVez/GDzFjvFDmTYUOptkY=&kESy=xgbqg
  http://www.fullmoonbird.com/c8sr/
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
  http://www.double2nllc.com/lphk/
  http://www.beescy.xyz/pdwc/
Hosts (20):
  www.double2nllc.com(84.32.84.32)
  www.kvatromusic.online(37.140.192.90)
  www.yetung.com(121.37.199.72)
  www.6666111p.vip(35.186.221.100)
  www.fullmoonbird.com(172.67.176.31)
  www.beescy.xyz(162.0.213.72)
  www.hsck520.com(35.190.52.58)
  www.stellardaysigning.com(76.223.67.189)
  www.silverbrit.info(217.160.230.215)
  172.67.176.31
  121.37.199.72
  35.190.52.58
  37.140.192.90
  84.32.84.32 - mailcious
  35.186.221.100
  162.0.213.72
  82.157.201.41 - malware
  45.33.6.223
  76.223.67.189
  217.160.230.215
Alerts: none
Score: 12.0 | M | 23 | ZeroCERT

9335 | 2024-06-07 09:34
File: envio.js
MD5: 0eea6ce45e121ed22b89a006b3a4c1c3
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://188.126.90.5/envifa.vbs
Hosts: none
Alerts: none
Score: 6.6 | M | 21 | ZeroCERT

9336 | 2024-06-07 09:33
File: john.doc
MD5: da2543ed3a6567896c950bfeb597814b
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed
URLs (25):
  https://universalmovies.top/john.scr
  http://www.6666111p.vip/y3do/?Ugn9C=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&Pk=WONpQ
  http://www.6666111p.vip/y3do/
  http://www.sjzsls.com/9s2m/?Ugn9C=/AdC9GegXDS/vzNv1Epb/BfZDITsTVSRF0qSIgfFe+x3a1YrqDLlvj5NbVdHoQQDF7Kc5dLcM8fpOgktz/3sEUGAQfvn12WDGpve1l9b9ctB4wuylPXfAChK8iXjKhCfF0ELu94=&Pk=WONpQ
  http://www.kvatromusic.online/yjik/
  http://www.yetung.com/7ru5/?Ugn9C=ISPW+m88VBQNqH+k3JW84YG5Fk7QLrErwcAnWTSXodWIF9bOo25oIut7GSly+JY6T9/fHFYUtdHtiF5inQf0UQqeKTQ7bI9uaPa6a3iFF9Uz86xGPiVez/GDzFjvFDmTYUOptkY=&Pk=WONpQ
  http://www.silverbrit.info/kj8f/?Ugn9C=4t9Vdj82cePVf5tb2btNPfj+cF91LcmybOtR99dnAhd1RJtV43KyF44o/jxPyXILLT2c7dvr4ObZNHuTbQFO2r18ofp9GNB90rnp1Ohw/CJp1ZbSd7nYHKYFKR9pZcLJ+FI+J6g=&Pk=WONpQ
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
  http://www.beescy.xyz/pdwc/
  http://www.stellardaysigning.com/xb5p/
  http://www.kvatromusic.online/yjik/?Ugn9C=gdGtnhc9ASA4qX4b34OgRoYxE/bD+nb59vJiz4FtHHCSzpBYLiuXgNVcIgjaJpSMIjXnBANqWDNRr5Ocy1GAv43NZgQpgrLVhi6C63ziyaNAbXqEiKgPKznZLTw5BnTXjQFFRAg=&Pk=WONpQ
  http://www.double2nllc.com/lphk/?Ugn9C=QQ9AzHzvXAdOb0MPNLfjUpWPUVpZplRrayXzypMYhteyq/MKivL68z82kZS9u6bhgeBbY+QYkFf+kg9uvjJAnI3fPdAT94WYiFSy6W9ZWxao1mFD7NGeSFfqjgfGWtv75CStAYk=&Pk=WONpQ
  http://www.yetung.com/7ru5/
  http://www.fullmoonbird.com/c8sr/
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
  http://www.hsck520.com/0tno/?Ugn9C=0cMGHWchhwDqjfnLTJDBZveg9su8HvUeph8XCipGvt+qmCtRZPbLeKFNzMXXlvLfrfTQKCJHTw1MhSXlslZDoNUiVnTSVKsqzzLfuZrJDhCegOsSgpp1goso0jrOzq9yXpycRq0=&Pk=WONpQ
  http://www.jx2493.com/pozw/?Ugn9C=JIthcwf9sV4p+C20h/op7zy5aemm7SHr7Am9g1UXd9f/iLUD4eooIAhG548dbPLUr+vOyGwxDijlULi7DZZIjWvc3k9KEblL0qsgRpAZgA0owE5+Y5cgNDkhDspksm+EjunSeOk=&Pk=WONpQ
  http://www.stellardaysigning.com/xb5p/?Ugn9C=j+BD0p8WhtBdy7Wd/KfVtBKjF7uQGjkUu2IQ9c2WN0jGyCZp1k8Rj1+VKsyVC4FAIa7rNa0t7jcnj4LfrYK/jtIwEqPY6NFmTaOReXQoO8B2hiELl0EMSu8ktx1OCucJ4jnvo9M=&Pk=WONpQ
  http://www.silverbrit.info/kj8f/
  http://www.hsck520.com/0tno/
  http://www.fullmoonbird.com/c8sr/?Ugn9C=zxCFcO6tuZe6Dlje2mnTfb6r7hCrJw1WRvLQy3p8EhQbFOxorE0QYFIsUppT5UxA2U7/AhBO7aGzpI5DsnNWO/n9u3OyDwlwLJozLrszN4iVUZEIkN4QT6y8EX8/9tm01YM9dRM=&Pk=WONpQ
  http://www.sjzsls.com/9s2m/
  http://www.jx2493.com/pozw/
  http://www.double2nllc.com/lphk/
  http://www.beescy.xyz/pdwc/?Ugn9C=YGoy3hUgePQdZVGVI2JgguyNtFd/fyj/zkAvTLDf/KtKm9LDDFlO5Xfik+cH5iVSfdOqayVG+ARiT1VFNZO4tzOVhNMvL1fpmyaeyhkJTFsxeS49wBXCfHO+yKB+0kMKDU35Y5s=&Pk=WONpQ
Hosts (25):
  www.sjzsls.com(154.212.44.122)
  www.double2nllc.com(84.32.84.32)
  www.kvatromusic.online(37.140.192.90)
  www.yetung.com(121.37.199.72)
  www.jx2493.com(103.195.51.41)
  www.6666111p.vip(35.186.221.100)
  www.fullmoonbird.com(172.67.176.31)
  www.beescy.xyz(162.0.213.72)
  universalmovies.top(104.21.74.191) - malware
  www.hsck520.com(35.190.52.58)
  www.stellardaysigning.com(13.248.213.45)
  www.silverbrit.info(217.160.230.215)
  121.37.199.72
  104.21.48.23
  35.190.52.58
  13.248.213.45
  37.140.192.90
  84.32.84.32 - mailcious
  35.186.221.100
  162.0.213.72
  103.195.51.41
  154.212.44.122
  45.33.6.223
  217.160.230.215
  104.21.74.191 - malware
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.top domain - Likely Hostile
Score: 4.4 | M | 33 | ZeroCERT

9337 | 2024-06-07 09:33
File: lenin.exe
MD5: fb2f90584265d465b4046c9a4e7c9bfa
Tags: UPX PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.4.15)
  104.26.5.15
  34.117.186.192
  147.45.47.126 - mailcious
Alerts (9):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET MALWARE RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE RisePro CnC Activity (Inbound)
Score: 16.0 | M | 38 | ZeroCERT

9338 | 2024-06-07 09:29
File: xxun.exe
MD5: 3311b8c3707f75831aa443db406c71e0
Tags: AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder Windows DNS
URLs: none
Hosts (1): (entry not present in the extracted listing)
Alerts: none
Score: 6.8 | M | 62 | ZeroCERT

9339 | 2024-06-06 14:51
File: com.wag.walker_2.74.1.apk
MD5: 54be4e2a316b871562c40088db968778
Tags: ZIP Format ftp Word 2007 file format(docx) OS Processor Check
URLs: none
Hosts: none
Alerts: none
Score: (none) | guest

9340 | 2024-06-06 14:27
File: SetupTools.exe
MD5: 5ec12277c0679d4761d265dd821f674f
Tags: Generic Malware Malicious Library UPX Antivirus PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS Cryptographic key
URLs: none
Hosts (2):
  api.telegram.org(149.154.167.220)
  149.154.167.220
Alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 11.4 | 56 | guest

9341 | 2024-06-05 23:26
File: ICARUS.Setup.exe
MD5: 225fcf1e03e30b492bd0aef35969329b
Tags: Emotet Gen1 NSIS Generic Malware Malicious Library UPX Malicious Packer Anti_VM Javascript_Blob PE File PE32 DLL PE64 OS Processor Check DllRegisterServer dll BMP Format Lnk Format GIF Format icon VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Auto service Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Ransomware GameoverP2P Interception Zeus Windows ComputerName Trojan Banking
URLs (3):
  http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3c775e75-aff8-4af1-aede-7a5c0349aa0b?P1=1718201907&P2=404&P3=2&P4=WiuGZ5IY9kx3eECOliePn%2bZR2Oa2T%2fIA6AoadHbz1e2TomQPzt6zla8iSDn3KibvVKZ7rCsNDdx37Vncvson%2bw%3d%3d
  https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/latest?action=select
  https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/125.0.2535.85/files?action=GenerateDownloadInfo&foregroundPriority=true
Hosts (9):
  msedge.f.tlu.dl.delivery.mp.microsoft.com(199.232.214.172)
  msedge.api.cdp.microsoft.com(20.114.58.89)
  self.events.data.microsoft.com(20.189.173.3)
  config.edge.skype.com(52.123.254.33)
  23.56.109.165
  13.107.42.16
  13.89.179.9
  13.95.26.4
  51.104.15.252
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
Score: 13.0 | 1 | guest

9342 | 2024-06-05 09:27
File: Auto%20R.exe
MD5: 351650a422e427140d74d8c68185fa24
Tags: Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (19):
  http://www.techchains.info/fo8o/?Kp=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&VOyp=e8WDb - rule_id: 39858
  http://www.magmadokum.com/fo8o/?Kp=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&VOyp=e8WDb - rule_id: 39856
  http://www.elettrosistemista.zip/fo8o/?Kp=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&VOyp=e8WDb - rule_id: 39860
  http://www.rssnewscast.com/fo8o/?Kp=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&VOyp=e8WDb - rule_id: 39857
  http://www.3xfootball.com/fo8o/ - rule_id: 39852
  http://www.donnavariedades.com/fo8o/ - rule_id: 39861
  http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
  http://www.3xfootball.com/fo8o/?Kp=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&VOyp=e8WDb - rule_id: 39852
  http://www.rssnewscast.com/fo8o/ - rule_id: 39857
  http://www.techchains.info/fo8o/ - rule_id: 39858
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
  http://www.magmadokum.com/fo8o/ - rule_id: 39856
  http://www.donnavariedades.com/fo8o/?Kp=l+301ZvITCxaX9AA7VU8BaNl0giE4t3JgzctOQx29qSsrxX8kw490hU6vymbZWA2w8GmYCogcgx/MI4pNd8ITQiOXzox9fl9oCNBaJd4bIe7oyUKC5LhLVNYvjLZULJxgsfERiI=&VOyp=e8WDb - rule_id: 39861
  http://www.elettrosistemista.zip/fo8o/ - rule_id: 39860
  http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
  http://www.antonio-vivaldi.mobi/fo8o/?Kp=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&VOyp=e8WDb - rule_id: 39855
  http://www.goldenjade-travel.com/fo8o/?Kp=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&VOyp=e8WDb - rule_id: 39854
  http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
  http://www.kasegitai.tokyo/fo8o/?Kp=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&VOyp=e8WDb - rule_id: 39853
Hosts (20):
  www.elettrosistemista.zip(195.110.124.133) - mailcious
  www.liangyuen528.com() - mailcious
  www.magmadokum.com(85.159.66.93) - mailcious
  www.techchains.info(66.29.149.46) - mailcious
  www.donnavariedades.com(23.227.38.74) - mailcious
  www.kasegitai.tokyo(202.172.28.202) - mailcious
  www.3xfootball.com(154.215.72.110) - mailcious
  www.goldenjade-travel.com(116.50.37.244) - mailcious
  www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
  www.rssnewscast.com(91.195.240.94) - mailcious
  202.172.28.202 - mailcious
  85.159.66.93 - mailcious
  116.50.37.244 - mailcious
  195.110.124.133 - mailcious
  46.30.213.191 - mailcious
  66.29.149.46 - mailcious
  45.33.6.223
  23.227.38.74 - mailcious
  91.195.240.94 - phishing
  154.215.72.110 - mailcious
Alerts (3):
  ET MALWARE FormBook CnC Checkin (GET) M5
  ET INFO Observed DNS Query to .zip TLD
  ET INFO HTTP Request to a *.zip Domain
URLs with rule_id (18):
  http://www.techchains.info/fo8o/
  http://www.magmadokum.com/fo8o/
  http://www.elettrosistemista.zip/fo8o/
  http://www.rssnewscast.com/fo8o/
  http://www.3xfootball.com/fo8o/
  http://www.donnavariedades.com/fo8o/
  http://www.kasegitai.tokyo/fo8o/
  http://www.3xfootball.com/fo8o/
  http://www.rssnewscast.com/fo8o/
  http://www.techchains.info/fo8o/
  http://www.magmadokum.com/fo8o/
  http://www.donnavariedades.com/fo8o/
  http://www.elettrosistemista.zip/fo8o/
  http://www.goldenjade-travel.com/fo8o/
  http://www.antonio-vivaldi.mobi/fo8o/
  http://www.goldenjade-travel.com/fo8o/
  http://www.antonio-vivaldi.mobi/fo8o/
  http://www.kasegitai.tokyo/fo8o/
Score: 6.6 | M | 22 | ZeroCERT

9343 | 2024-06-05 09:26
File: dion.hta
MD5: 24be5183dd56c3d08bae8625fba83aaa
Tags: Formbook Gen1 Generic Malware Suspicious_Script_Bin Process Kill Antivirus Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PowerShell PE File DLL PE32 Device_File_Check OS Processor Check FormBook Browser Info Stealer Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key crashed
URLs (4):
  http://198.23.201.89/warm/Auto%20R.exe
  http://www.3xfootball.com/fo8o/?9LnGaVx=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9KJ=FLmtL7Haabh3IASW - rule_id: 39852
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
  http://www.3xfootball.com/fo8o/ - rule_id: 39852
Hosts (4):
  www.3xfootball.com(154.215.72.110) - mailcious
  45.33.6.223
  198.23.201.89 - malware
  154.215.72.110 - mailcious
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET) M5
URLs with rule_id (2):
  http://www.3xfootball.com/fo8o/
  http://www.3xfootball.com/fo8o/
Score: 13.4 | M | ZeroCERT

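The records above are flattened sandbox output, and the same two patterns recur in them: the host field packs "name(resolved-ip)", bare IPs and trailing "- mailcious"/"- malware"/"- phishing" tags into one string, and the FormBook check-in URLs carry an identical long query value across samples even though the parameter name in front of it changes (record 9334 sends it as NP0FyU=..., record 9336, the RTF that fetched john.scr, as Ugn9C=...; record 9343, the HTA that fetched Auto R.exe, sends the same 3xfootball.com value as record 9342 under a different name). The following script is an added example, not code from the page or from the sandbox that produced it. It parses the host field, extracts the check-in path token and opaque payload from each URL, and links records that share a payload. The sample strings are copied from records 9331, 9334, 9336, 9342 and 9343 (constructed input). Two rules are this example's own assumptions, not sandbox logic: a check-in path is taken to be a single four-character lowercase directory, and the long base64-like query value is treated as the beacon regardless of its parameter name.

```python
"""Structure the sandbox listing's IOC fields and link records that share a C2 beacon.

Added example; the inputs are copied from this page's records and are constructed test data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One token of the flattened host field: "name(ip)", a bare IPv4, or a trailing "- tag"
HOST_TOKEN = re.compile(
    r"(?P<name>[A-Za-z0-9.\-]+)\((?P<ip>[\d.]*)\)"   # resolved name; ip may be empty, e.g. www.kampspacex.com()
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3})"           # IP contacted directly
    r"|-\s+(?P<tag>[A-Za-z]+)"                       # reputation tag that belongs to the preceding entry
)
FORMBOOK_PATH = re.compile(r"^/([a-z0-9]{4})/$")   # assumption: one 4-char directory, nothing after it
BENIGN_HOSTS = {"www.sqlite.org"}                  # legitimate site the stealer fetches from; not an IOC on its own

# Host field of record 9331, copied verbatim (constructed input)
HOST_FIELD_9331 = ("www.caxars.store(91.184.0.200) www.eshopkhaliji.store(158.176.194.183) "
                   "www.shopadamsstore.com(23.227.38.74) www.kampspacex.com() 45.33.6.223 "
                   "23.227.38.74 - mailcious 141.125.157.19 91.184.0.200 - mailcious")

# URL subsets of four records, copied verbatim (constructed input)
SAMPLES = {
    "9334 john.scr": [
        "http://www.6666111p.vip/y3do/?NP0FyU=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&kESy=xgbqg",
        "http://www.6666111p.vip/y3do/",
        "http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip",
    ],
    "9336 john.doc": [
        "https://universalmovies.top/john.scr",
        "http://www.6666111p.vip/y3do/?Ugn9C=LOchJJI7j7x4RSIZOmRKrvMdEDW/MUxucIo24swAQXAkKIo03dsxd6yGfyoydnm7SmxXMXwHD0q4GFP2LgOY7CsTmAi6O8Bpro54P9T4NSt7/iYty+/boiJQGB1N3z+f5OnconY=&Pk=WONpQ",
        "http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip",
    ],
    "9342 Auto R.exe": [
        "http://www.3xfootball.com/fo8o/?Kp=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&VOyp=e8WDb",
        "http://www.3xfootball.com/fo8o/",
    ],
    "9343 dion.hta": [
        "http://198.23.201.89/warm/Auto%20R.exe",
        "http://www.3xfootball.com/fo8o/?9LnGaVx=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9KJ=FLmtL7Haabh3IASW",
    ],
}


def parse_hosts(field):
    """Turn the host field into [{'name', 'ip', 'tag'}, ...]; each '- tag' attaches to the entry before it."""
    entries = []
    for m in HOST_TOKEN.finditer(field):
        if m.group("tag"):
            if entries:
                entries[-1]["tag"] = m.group("tag")
        elif m.group("bare"):
            entries.append({"name": None, "ip": m.group("bare"), "tag": None})
        else:
            entries.append({"name": m.group("name"), "ip": m.group("ip") or None, "tag": None})
    return entries


def split_query(query):
    """Split a=b&c=d without percent-decoding: '+' and '/' are part of the opaque blob, not separators."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_checkin(url):
    """Return (host, path_token, payload) for a FormBook-looking URL, or None for anything else."""
    parts = urlsplit(url)
    m = FORMBOOK_PATH.match(parts.path)
    if not m or parts.hostname in BENIGN_HOSTS:
        return None
    payload = None
    for _key, value in split_query(parts.query):
        if len(value) > 64:   # the beacon blob is ~170 chars; short params (kESy=xgbqg, Pk=WONpQ) are ignored
            payload = value
            break
    return parts.hostname, m.group(1), payload


def correlate(samples):
    """Map each beacon payload to the sorted records that sent it, ignoring host and parameter name."""
    seen = defaultdict(set)
    for record, urls in samples.items():
        for url in urls:
            parsed = parse_checkin(url)
            if parsed and parsed[2]:
                seen[parsed[2]].add(record)
    return {payload: sorted(records) for payload, records in seen.items()}


def defang(url):
    """hxxp://www[.]example[.]com/path for pasting into tickets; the query string is kept verbatim."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp", 1)
    out = f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}"
    return out + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    for entry in parse_hosts(HOST_FIELD_9331):
        print(entry)
    for payload, records in correlate(SAMPLES).items():
        print(payload[:24] + "...", "seen in", records)
```

Two practical points fall out of this. First, blocking on the query parameter name is pointless: the name rotates per sample while the value (and the four-character directory) persists, so a detection keyed on the path pattern or on the reused value survives the rotation. Second, www.sqlite.org appears in every FormBook-family record here because the stealer fetches a SQLite DLL to read browser databases; it is evidence of the behaviour, not an indicator to block, which is why the script drops it before correlating.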
9344 | 2024-06-05 09:23
File: lionsarekingofthejunglewhichcr...
MD5: 96094535fe4ae7ea46eb3df5e0b45231
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (2):
  http://185.222.58.78/300333/lionsgetgorestkingenitreworldimage.bmp
  https://paste.ee/d/uRpyT - rule_id: 40036
Hosts (3):
  paste.ee(172.67.187.200) - mailcious
  172.67.187.200 - mailcious
  185.222.58.78 - mailcious
Alerts (3):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
URLs with rule_id (1): (entry not present in the extracted listing)
Score: 4.2 | M | 39 | ZeroCERT

9345 | 2024-06-05 09:20
File: lionsarekingofthejunglewhorule...
MD5: c5858e4c690557b5240597db6e4d88c9
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (1):
  http://198.23.227.213/20040/igcc.exe
Hosts (2):
  45.33.6.223
  198.23.227.213 - malware
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.2 | M | 38 | ZeroCERT